SenderKit

Last updated: 2026-05-29

Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Neurabyte LLC(dba SenderKit) (“SenderKit,” “Processor”) and the customer (“Customer,” “Controller”) and applies where SenderKit processes Personal Data on Customer’s behalf. Capitalized terms not defined here have the meaning given in the Terms.

1. Definitions

Data Protection Laws” means all laws applicable to the processing of Personal Data under the Terms, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and U.S. state privacy laws (including the CCPA/CPRA). “Personal Data,” “processing,” “controller,” “processor,” and “data subject” have the meanings given in the applicable Data Protection Laws. “Customer Personal Data” means Personal Data contained in Customer Content that SenderKit processes on Customer’s behalf. “Sub-processor” means a third party engaged by SenderKit to process Customer Personal Data.

2. Relationship of the parties; processing

With respect to Customer Personal Data, Customer is the controller (or, where Customer is itself a processor, the processor acting on behalf of a third-party controller) and SenderKit is the processor. SenderKit will process Customer Personal Data only:

  • to provide and support the Services under the Terms;
  • in accordance with Customer’s documented instructions, including the Terms and Customer’s configuration and use of the Services; and
  • as required by applicable law, in which case SenderKit will, where permitted, inform Customer of that legal requirement.

Customer is responsible for the accuracy and lawfulness of its instructions and for having an appropriate legal basis for the processing.

3. Confidentiality

SenderKit will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process such data only as necessary to provide the Services.

4. Authorized sub-processors

Customer authorizes SenderKit to engage the sub-processors listed at senderkit.com/subprocessors. SenderKit will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for its sub-processors’ performance. SenderKit will provide a mechanism to notify Customer of changes to its sub-processors and will give Customer a reasonable opportunity to object to a new sub-processor on reasonable data-protection grounds.

5. Security of personal data

SenderKit will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as further described in Exhibit C. SenderKit will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data and will provide information reasonably available to it to help Customer meet its breach-notification obligations.

6. Transfers of personal data

Where the processing of Customer Personal Data involves a transfer out of the EEA, the UK, or Switzerland to a country that does not provide an adequate level of protection, the parties agree that the applicable Standard Contractual Clauses (and, for UK transfers, the UK International Data Transfer Addendum) are incorporated by reference and apply to that transfer.

7. Rights of data subjects

Taking into account the nature of the processing, SenderKit will provide reasonable assistance to enable Customer to respond to requests from data subjects to exercise their rights under Data Protection Laws. If SenderKit receives such a request directly, it will, where permitted, direct the data subject to Customer.

8. Actions and access requests; audits

SenderKit will, taking into account the nature of processing and the information available to it, assist Customer with data-protection impact assessments and consultations with supervisory authorities. SenderKit will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, subject to reasonable confidentiality, security, and frequency limits.

9. Customer’s role as a controller

Customer represents and warrants that it has provided all required notices, obtained all required consents, and otherwise has a lawful basis to collect and process Customer Personal Data and to authorize SenderKit’s processing under this DPA, as also set out in Sections 5 and 7 of the Terms.

10. Conflict

In the event of any conflict between this DPA and the Terms with respect to the processing of Customer Personal Data, this DPA controls, consistent with the order of precedence in Section 1.3 of the Terms.

11. Term and deletion

This DPA applies for as long as SenderKit processes Customer Personal Data. On termination or expiration of the Terms, SenderKit will delete or return Customer Personal Data in accordance with Section 13.5 of the Terms, except to the extent retention is required by law.

Exhibit A — Details of processing

  • Subject matter: provision of the Services under the Terms.
  • Duration: the term of the Terms plus any legally required retention period.
  • Nature and purpose:hosting, storing, transmitting, rendering, and routing messages and related data on Customer’s documented instructions.
  • Categories of data subjects:Customer’s personnel and Customer’s message recipients and end users.
  • Categories of Personal Data: identifiers and contact data (such as names, email addresses, and phone numbers), message content and variables submitted by Customer, and related delivery and engagement metadata. Special-category data is not permitted absent a separate written agreement (see Section 6.6 of the Terms).

Exhibit B — List of parties

Data exporter

The Customer identified in the account or applicable Order Form.

Data importer

Neurabyte LLC (dba SenderKit), 1309 Coffeen Avenue, STE 1200, Sheridan, WY 82801, United States. Contact: privacy@senderkit.com.

Exhibit C — Technical & organizational measures

SenderKit maintains measures designed to protect Customer Personal Data, including:

  • encryption of data in transit and, where appropriate, at rest;
  • access controls, least-privilege permissions, and support for multi-factor authentication;
  • logical separation of customer data and environment hardening;
  • logging, monitoring, and abuse-detection controls;
  • secure software-development and change-management practices; and
  • incident-response procedures and regular review of these measures.

Specific technical details of the production environment are available on request, subject to confidentiality.